Keyfile Authentication with domain users
-
Hello,
Previously I had a Veyon 4.0.7 deployment working smoothly using keyfile configuration, but after updating to 4.10/4.1.1 this method no longer seems to work. I think this is due to the change on the keyfiles/folders having ACL rule requirements now. Previously I just copied the public key to the clients' appdata/veyon/keys/public folder and that seemed to be enough for access from the Masters.
We are in a domain environment, but I do not want to use domain logon based authentication as the access checks cause teacher logon events on the DC for the client workstations, which throws our web filter for a loop and kicks students off the internet.
With the keyfile I start running into the same problem as I now have to specify a user group for access. I'd just set it to "Everyone" but this does not seem to be possible. Setting it to Domain\Domain Users also does not seem to grant access. Importing the key using the config generator also doesn't work and the key pair ID always differs between client and master.
What is the process for getting keyfile authentication to work like it did previously?
-
Finally got it to work with 4.2.2.
Setup is the following: lab with a Master. The Master will not be used by students, logon auth is unneeded and causes other issues.
First install Veyon with the master on a machine and generate a key pair (I just name it "teacher"). Export them to another folder (I put them on the file share for distribution later). Generate locations and computers in Location & Computers. You'll have to install the clients with either a config file included or utilize veyon-wcli to change authentication mode. The config will not set the key access control group, you'll need to set it with veyon-wcli. By default it pulls the highest privilege group available when the key pair is created (Administrators), but you'll actually want to have it for the lowest (Users).
//Config for Master/Client
General
    Authentication Method: Key file authentication
Computer Access Control
    x Grant access to every authenticated user (default)
Authentication keys
    Set Access group to "Users"

//Imports public key
"C:\Program Files\Veyon\veyon-wcli.exe" authkeys import teacher/public \\fileserver\share$\folder\teacher_public_key.pem

//Imports private key (Master Only)
"C:\Program Files\Veyon\veyon-wcli.exe" authkeys import teacher/private \\fileserver\share$\folder\teacher_private_key.pem

//Sets access group to Users (works with domain login as well)
"C:\Program Files\Veyon\veyon-wcli.exe" authkeys setaccessgroup teacher/public Users

//Sets access group to Users (works with domain login as well) (Master Only)
"C:\Program Files\Veyon\veyon-wcli.exe" authkeys setaccessgroup teacher/private Users
One gotcha I learned is that the Veyon uninstaller will not remove keys. If you generated new keys for a new version but with the same name, the old ones will have to be deleted first because the import will not work if a file with the same name exists.
//Remove the Veyon folder from ProgramData
rmdir /s /q "C:\ProgramData\Veyon"
When you import the keys with veyon-wcli the folder structure will be created.
Now you have Veyon running with key authentication.
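
The import and access-group steps from the answer above, wrapped as a re-runnable per-machine script that clears a same-named leftover key before importing and stops on a failed step. This is an added example, not part of the original post or the Veyon project. Assumptions: it runs elevated, the installed veyon-wcli supports `authkeys delete` and returns a non-zero exit code on failure, and the `-Master` switch and the `Invoke-Veyon` helper are hypothetical names introduced here.

```powershell
# Added example: idempotent Veyon key deployment for one machine (run elevated).
param(
    [switch]$Master,                                  # hypothetical switch: also install the private key
    [string]$KeyName = 'teacher',                     # key pair name used in the post
    [string]$KeyDir  = '\\fileserver\share$\folder',  # share path as written in the post
    [string]$Group   = 'Users'
)
$cli = 'C:\Program Files\Veyon\veyon-wcli.exe'

# Hypothetical helper. veyon-wcli is the windowless CLI, so the shell does not
# wait for it by default: start it explicitly, wait, and return its exit code.
function Invoke-Veyon([string[]]$CliArgs) {
    $p = Start-Process -FilePath $cli -ArgumentList $CliArgs -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

# Clients receive only the public key; the private key goes to the Master alone.
$types = @('public')
if ($Master) { $types += 'private' }

foreach ($type in $types) {
    $key  = "$KeyName/$type"
    $file = Join-Path $KeyDir "${KeyName}_${type}_key.pem"
    if (-not (Test-Path -LiteralPath $file)) { throw "Key file not found: $file" }

    # A key left over from an earlier install blocks the import (the gotcha above).
    # Delete it first; a failure here only means no such key existed.
    [void](Invoke-Veyon @('authkeys', 'delete', $key))

    # Assumption: a non-zero exit code signals failure.
    if ((Invoke-Veyon @('authkeys', 'import', $key, "`"$file`"")) -ne 0) {
        throw "Import of $key failed"
    }
    # Imported keys default to the highest-privilege group, so lower it explicitly.
    if ((Invoke-Veyon @('authkeys', 'setaccessgroup', $key, $Group)) -ne 0) {
        throw "Setting access group on $key failed"
    }
}
```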